Database Changes
+ For MySQL and MariaDB, the default character set has been updated to
utf8mb4 to accommodate more Unicode characters, including emojis.
See README.MySQL and README.MariaDB for details.
+ The Id field in some tables is changed from INT to BIGINT to accommodate
large RT systems that may hit the maximum number of ids. Because this
change touches large RT tables like Transactions and Attachments,
this upgrade step may take a while to run.
+ You will also need free disk space equal to the size of these tables
while the upgrade runs, because MySQL, MariaDB, and Postgres each create a
temporary copy of the table being altered. If you don't have sufficient
space, this step can fail.
Notable Changes
+ System configuration options can now be changed by SuperUsers via the
web UI. File-based configuration options are still loaded. Changes made
via the web UI take precedence over file-based options if both are set.
+ If you prefer to keep all configuration in files and disable editing in
the web UI, set this option to 0:
Set($ShowEditSystemConfig, 0);
+ The variables which alter the set of HTML elements allowed in HTML
scrubbing have moved; they have been renamed, and are now found under
RT::Interface::Web::Scrubber.
+ The articles interface on tickets has been simplified, now showing only
a dropdown for selecting articles. This dropdown converts to an autocomplete
box when the dropdown contains more than $DropdownMenuLimit items.
+ With this simplified interface, the "hotlist" feature is no longer
needed as all articles in classes applied to a given queue are available
in the dropdown/autocomplete field. To prevent articles in a class from
appearing for a queue, you can unapply the class from that queue.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=67
Security Updates
+ One of RT's dependencies, the Perl module Email::Address, has a denial
of service vulnerability which could induce a denial of service of RT
itself.
We recommend updating to Email::Address version 1.912 or later. The
Email::Address vulnerabilities are assigned CVE-2015-7686 and CVE-2015-12558.
CVE-2015-7686 was addressed in RT with a previous update.
Email::Address version 1.912 addresses both of these CVEs with updates
directly in the source module.
+ One of RT's dependencies, the Perl module Email::Address::List, relies
on and operates similarly to Email::Address and therefore also has
potential denial of service vulnerabilities.
These vulnerabilities are assigned CVE-2018-18898. We recommend
administrators install Email::Address::List version 0.06 or later.
+ An optional RT dependency, HTML::Gumbo, incorrectly escaped HTML in
some cases. Since RT relies on this module to escape HTML content,
it's possible this issue could allow malicious HTML to be displayed
in RT.
For RT installations using this optional module, we recommend administrators
install HTML::Gumbo version 0.18 or later.
+ The version of jQuery used in RT 4.2 and 4.4 has a Cross-site Scripting
(XSS) vulnerability when using cross-domain Ajax requests.
This vulnerability is assigned CVE-2015-9251.
RT does not use this jQuery feature so it is not directly vulnerable.
jQuery version 1.12 no longer receives official updates, however a
fix was posted with recommendations for applications to patch locally,
so RT will follow this recommendation and ship with a patched version.
EU General Data Protection Regulation (GDPR)
Several new features were added to support GDPR compliance and are summarized here.
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=61
Security
* RT 4.0.0 and above are vulnerable to an information leak of cross-site
request forgery (CSRF) verification tokens if a user visits a specific
URL crafted by an attacker. This vulnerability is assigned
CVE-2017-5943. It was discovered by a third-party security researcher.
* RT 4.0.0 and above are vulnerable to a cross-site scripting (XSS) attack
if an attacker uploads a malicious file with a certain content type.
Installations which use the AlwaysDownloadAttachments config setting are
unaffected. This fix addresses all existing and future uploaded
attachments. This vulnerability is assigned CVE-2016-6127. This was
responsibly disclosed to us first by Scott Russo and the GE Application
Security Assessment Team.
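The attachment XSS above is mitigated when an uploaded file is served as a download rather than rendered inline in RT's origin, which is why AlwaysDownloadAttachments installations are unaffected. The following is an added example, not RT's own code or its actual fix: a generic header builder that forces browser-executable content types (a constructed list) to download, and that lets a setting equivalent to AlwaysDownloadAttachments (assumed name: always_download) force every attachment to download.

```python
"""Added example (not RT's own code): serving uploaded attachments so that
browser-rendered content types are never executed as a page in the
application's origin. The content-type list below is a constructed
illustration, not RT's internal list.
"""

# Content types a browser will render as active content (scripts, etc.)
# if served inline. Constructed for this example.
ACTIVE_CONTENT_TYPES = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
    "application/xml",
    "text/xml",
}


def attachment_headers(content_type: str, filename: str,
                       always_download: bool = False) -> dict[str, str]:
    """Return response headers for serving an uploaded attachment.

    always_download (assumed name) mirrors the effect of a setting like
    RT's AlwaysDownloadAttachments: every attachment is served with
    Content-Disposition: attachment. Otherwise only types a browser would
    execute are forced to download; other types may render inline.
    """
    # Ignore parameters such as "; charset=utf-8" when classifying the type.
    base_type = content_type.split(";", 1)[0].strip().lower()

    headers = {
        "Content-Type": content_type,
        # Stop the browser from sniffing a more dangerous type from the bytes.
        "X-Content-Type-Options": "nosniff",
    }

    force_download = always_download or base_type in ACTIVE_CONTENT_TYPES
    disposition = "attachment" if force_download else "inline"

    # Strip quote and line-break characters so a crafted filename cannot
    # break out of the header value.
    safe_name = "".join(c for c in filename if c not in '"\r\n')
    headers["Content-Disposition"] = f'{disposition}; filename="{safe_name}"'
    return headers


if __name__ == "__main__":
    print(attachment_headers("text/html; charset=utf-8", "report.html"))
    print(attachment_headers("image/png", "photo.png"))
    print(attachment_headers("image/png", "photo.png", always_download=True))
```

Serving a file with Content-Disposition: attachment and nosniff means that even an HTML or SVG payload uploaded by an attacker is handed to the user as a file, never evaluated with the application's cookies and origin.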
* One of RT's dependencies, a Perl module named Email::Address, has a
denial of service vulnerability which could induce a denial of service
of RT itself. We recommend administrators install Email::Address version
1.908 or above, though we additionally provide a new workaround within
RT. The Email::Address vulnerability was assigned CVE-2015-7686. This
vulnerability's application to RT was brought to our attention by Pali
Rohár.
* RT 4.0.0 and above are vulnerable to timing side-channel attacks for
user passwords. By carefully measuring millions or billions of login
attempts, an attacker could crack a user's password even over the
internet. RT now uses a constant-time comparison algorithm for secrets
to thwart such attacks. This vulnerability is assigned CVE-2017-5361.
This was responsibly disclosed to us by Aaron Kondziela.
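To show why the constant-time comparison mentioned above matters, here is an added example (not RT's code; RT is written in Perl, and this is a Python illustration of the same principle). The early-exit comparator is instrumented to count how many bytes it examined before returning: that count is the signal an attacker measures as elapsed time. The constant-time variants examine every byte regardless of where the first mismatch is.

```python
"""Added example (not RT's own code): an early-exit string comparison
leaks the length of the matching prefix through its running time; a
constant-time comparison removes that leak. Sample secret and guesses
are constructed for this example.
"""
import hmac


def leaky_equal(secret: bytes, guess: bytes) -> tuple[bool, int]:
    """Early-exit comparison. Returns (equal, bytes_examined).

    bytes_examined grows with the length of the matching prefix, so an
    attacker who can time this call can recover the secret one byte at
    a time instead of searching the whole keyspace.
    """
    if len(secret) != len(guess):
        return False, 0
    examined = 0
    for a, b in zip(secret, guess):
        examined += 1
        if a != b:            # data-dependent early exit: the leak
            return False, examined
    return True, examined


def constant_time_equal(secret: bytes, guess: bytes) -> bool:
    """Preferred form: the standard library's constant-time comparison."""
    return hmac.compare_digest(secret, guess)


def xor_fold_equal(a: bytes, b: bytes) -> bool:
    """Hand-rolled form for environments without a library primitive.

    Every byte is examined and differences are OR-ed into an accumulator,
    so there is no data-dependent early exit. (Python integer operations
    are not guaranteed constant-time at the CPU level; the point shown is
    the removal of the early exit.)
    """
    if len(a) != len(b):
        return False
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0


def matching_prefix_leak(secret: bytes, guesses: list[bytes]) -> list[int]:
    """Bytes examined by leaky_equal for each guess: the timing signal."""
    return [leaky_equal(secret, g)[1] for g in guesses]


if __name__ == "__main__":
    secret = b"hunter2!"                      # constructed sample secret
    guesses = [b"xunter2!", b"hxnter2!", b"huxter2!", b"hunter2?"]
    # Each guess matches one more leading byte than the last, and the
    # instrumented comparator's work grows in step with it.
    print(matching_prefix_leak(secret, guesses))   # [1, 2, 3, 8]
    print(constant_time_equal(secret, b"hunter2!"),  # True
          xor_fold_equal(secret, b"hunter2?"))       # False
```

Note that the length check in xor_fold_equal still leaks whether the lengths match; for password verification that is normally avoided by comparing fixed-length hashes rather than the raw secrets, which is also how hmac.compare_digest is meant to be used.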
* RT's ExternalAuth feature is vulnerable to a similar timing side-channel
attack. Both RT 4.0/4.2 with the widely-deployed RT::Authen::ExternalAuth
extension, as well as the core ExternalAuth feature in RT 4.4 are
vulnerable. Installations which don't use ExternalAuth, or which use
OBS-URL: https://build.opensuse.org/package/show/devel:languages:perl/request-tracker?expand=0&rev=52